Geoff Chappell - Software Analyst
The ETW_REALTIME_CONSUMER structure is the kernel’s representation of a real-time event consumer that is connected to a logger. It is a formal object, with handles and access control. The object type is named EtwConsumer. Note that the kernel has no exported variable for this object type, presumably because only the kernel is ever involved in interpreting a handle that refers to such an object.
The ETW_REALTIME_CONSUMER structure is not documented.
For a non-trivial structure that is plainly very much internal to the kernel, the ETW_REALTIME_CONSUMER has been very stable, if only since version 6.1 settled on making the structure into an object type. The following changes of size are known.
Version | Size (x86) | Size (x64) |
---|---|---|
6.0 | 0x40 | 0x60 |
6.1 | 0x50 | 0x88 |
6.2 | 0x4C | 0x88 |
6.3 to 1511 | 0x54 | 0x98 |
1607 to 2004 | 0x58 | 0xA0 |
These sizes, and the offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows 7. The implementation in version 6.0, predating the object type, is very different and type information seems not to have made it into the public symbol files for Windows Vista, but there is evident continuity.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 | 0x00 | `LIST_ENTRY Links;` | 6.0 and higher | |
0x08 (6.0) | 0x10 (6.0) | unknown HANDLE to pipe | 6.0 only | |
0x0C (6.0); 0x08 | 0x18 (6.0); 0x10 | `HANDLE ProcessHandle;` | 6.1 and higher | |
0x10 (6.0) | 0x20 (6.0) | unknown 32-bit sequence number as consumer ID | 6.0 only | |
0x14 (6.0) | 0x24 (6.0) | unknown 32-bit process ID | 6.0 only | |
0x18 (6.0) | 0x28 (6.0) | `ULONG BuffersLost;` | 6.0 only | next at 0x28 and 0x50 |
0x1C (6.0) | 0x2C (6.0) | `BOOLEAN NewBuffersLost;` | 6.0 only | next at 0x35 and 0x5D |
0x0C | 0x18 | `EPROCESS *ProcessObject;` | 6.1 and higher | |
0x20 (6.0); 0x10 | 0x30 (6.0); 0x20 | `PVOID NextNotDelivered;` | 6.0 and higher | |
0x24 (6.0); 0x14 | 0x38 (6.0); 0x28 | `PVOID RealtimeConnectContext;` | 6.0 and higher | |
0x28 (6.0) | 0x40 (6.0) | unknown KEVENT | 6.0 only | |
0x18 | 0x30 | `KEVENT *DisconnectEvent;` | 6.1 and higher | |
0x1C | 0x38 | `KEVENT *DataAvailableEvent;` | 6.1 and higher | |
0x20 | 0x40 | `ULONG *UserBufferCount;` | 6.1 and higher | |
0x24 | 0x48 | `SINGLE_LIST_ENTRY *UserBufferListHead;` | 6.1 and higher | |
0x28 | 0x50 | `ULONG BuffersLost;` | 6.1 and higher | previously at 0x18 and 0x28 |
0x38 (6.0); 0x2C | 0x58 (6.0); 0x54 | `ULONG EmptyBuffersCount;` | 6.0 and higher | |
0x30 | 0x58 | `ULONG LoggerId;` | 6.1 only | |
0x30 | 0x58 | `USHORT LoggerId;` | 6.2 and higher | |
0x3C (6.0); 0x34 (6.1) | 0x5C | `BOOLEAN ShutDownRequested;` | 6.0 to 6.1 | next in Flags |
0x35 (6.1) | 0x5D (6.1) | `BOOLEAN NewBuffersLost;` | 6.1 only | previously at 0x1C and 0x2C; next in Flags |
0x36 (6.1) | 0x5E (6.1) | `BOOLEAN Disconnected;` | 6.1 only | next in Flags |
0x32 | 0x5A | `union { UCHAR Flags; struct { /* bit fields, see below */ }; };` | 6.2 and higher | |
0x38 (6.1); 0x34 | 0x60 | `RTL_BITMAP ReservedBufferSpaceBitMap;` | 6.1 and higher | |
0x40 (6.1); 0x3C | 0x70 | `UCHAR *ReservedBufferSpace;` | 6.1 and higher | |
0x44 (6.1); 0x40 | 0x78 | `ULONG ReservedBufferSpaceSize;` | 6.1 and higher | |
0x48 (6.1); 0x44 | 0x7C | `ULONG UserPagesAllocated;` | 6.1 and higher | |
0x4C (6.1); 0x48 | 0x80 | `ULONG UserPagesReused;` | 6.1 and higher | |
 | 0x84 | `BOOLEAN Wow;` | 6.1 only | next in Flags |
0x4C | 0x88 | `ULONG *EventsLostCount;` | 6.3 and higher | |
0x50 | 0x90 | `ULONG *BuffersLostCount;` | 6.3 and higher | |
0x54 | 0x98 | `ETW_SILODRIVERSTATE *SiloState;` | 1607 and higher | |
Version 6.2 consolidated some one-byte booleans into UCHAR bit fields as Flags, and added one:
Mask (x86) | Mask (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x01 | 0x01 | `UCHAR ShutDownRequest : 1;` | 6.2 and higher | previously BOOLEAN at 0x34 and 0x5C |
0x02 | 0x02 | `UCHAR NewBuffersLost : 1;` | 6.2 and higher | previously BOOLEAN at 0x35 and 0x5D |
0x04 | 0x04 | `UCHAR Disconnected : 1;` | 6.2 and higher | previously BOOLEAN at 0x36 and 0x5E |
0x08 | 0x08 | `UCHAR Notified : 1;` | 6.2 and higher | |
 | 0x10 | `UCHAR Wow : 1;` | 6.2 and higher | previously BOOLEAN at 0x84 |
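The two tables above can be checked against a compiler rather than read by eye. The following is an added example, not code from this page or from Microsoft's headers: it declares the 1607-to-2004 layout as a C structure, with the 6.2-and-higher Flags bit fields, and compares each `offsetof` and the total size with the page's x86 and x64 columns for whichever pointer width it is built for. The Windows type names are stand-ins defined here under the assumption that `ULONG` is 32 bits, `LIST_ENTRY` is two pointers and `RTL_BITMAP` is a `ULONG` count followed by a `ULONG` pointer; `EPROCESS`, `KEVENT` and `ETW_SILODRIVERSTATE` are left opaque because the structure only holds pointers to them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Windows types named in the table (assumed here, not
 * copied from any Windows header); pointer width follows the build target. */
typedef unsigned char  UCHAR;
typedef unsigned short USHORT;
typedef uint32_t       ULONG;
typedef void          *PVOID;
typedef void          *HANDLE;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _SINGLE_LIST_ENTRY { struct _SINGLE_LIST_ENTRY *Next; } SINGLE_LIST_ENTRY;
typedef struct _RTL_BITMAP { ULONG SizeOfBitMap; ULONG *Buffer; } RTL_BITMAP;
typedef struct _EPROCESS EPROCESS;                    /* opaque: only ever pointed to */
typedef struct _KEVENT KEVENT;
typedef struct _ETW_SILODRIVERSTATE ETW_SILODRIVERSTATE;

/* ETW_REALTIME_CONSUMER as the page tabulates it for 1607 to 2004. */
typedef struct _ETW_REALTIME_CONSUMER {
    LIST_ENTRY           Links;
    HANDLE               ProcessHandle;
    EPROCESS            *ProcessObject;
    PVOID                NextNotDelivered;
    PVOID                RealtimeConnectContext;
    KEVENT              *DisconnectEvent;
    KEVENT              *DataAvailableEvent;
    ULONG               *UserBufferCount;
    SINGLE_LIST_ENTRY   *UserBufferListHead;
    ULONG                BuffersLost;
    ULONG                EmptyBuffersCount;
    USHORT               LoggerId;
    union {
        UCHAR Flags;
        struct {
            UCHAR ShutDownRequest : 1;   /* mask 0x01 */
            UCHAR NewBuffersLost  : 1;   /* mask 0x02 */
            UCHAR Disconnected    : 1;   /* mask 0x04 */
            UCHAR Notified        : 1;   /* mask 0x08 */
            UCHAR Wow             : 1;   /* mask 0x10; the page lists it for x64 only */
        };
    };
    RTL_BITMAP           ReservedBufferSpaceBitMap;
    UCHAR               *ReservedBufferSpace;
    ULONG                ReservedBufferSpaceSize;
    ULONG                UserPagesAllocated;
    ULONG                UserPagesReused;
    ULONG               *EventsLostCount;
    ULONG               *BuffersLostCount;
    ETW_SILODRIVERSTATE *SiloState;
} ETW_REALTIME_CONSUMER;

/* One row per member: the compiler's offset beside the page's x86 and x64 values. */
typedef struct { const char *name; size_t actual, x86, x64; } LayoutRow;
#define ROW(m, a, b) { #m, offsetof(ETW_REALTIME_CONSUMER, m), a, b }
static const LayoutRow rows[] = {
    ROW(Links, 0x00, 0x00),             ROW(ProcessHandle, 0x08, 0x10),
    ROW(ProcessObject, 0x0C, 0x18),     ROW(NextNotDelivered, 0x10, 0x20),
    ROW(RealtimeConnectContext, 0x14, 0x28), ROW(DisconnectEvent, 0x18, 0x30),
    ROW(DataAvailableEvent, 0x1C, 0x38), ROW(UserBufferCount, 0x20, 0x40),
    ROW(UserBufferListHead, 0x24, 0x48), ROW(BuffersLost, 0x28, 0x50),
    ROW(EmptyBuffersCount, 0x2C, 0x54), ROW(LoggerId, 0x30, 0x58),
    ROW(Flags, 0x32, 0x5A),             ROW(ReservedBufferSpaceBitMap, 0x34, 0x60),
    ROW(ReservedBufferSpace, 0x3C, 0x70), ROW(ReservedBufferSpaceSize, 0x40, 0x78),
    ROW(UserPagesAllocated, 0x44, 0x7C), ROW(UserPagesReused, 0x48, 0x80),
    ROW(EventsLostCount, 0x4C, 0x88),   ROW(BuffersLostCount, 0x50, 0x90),
    ROW(SiloState, 0x54, 0x98),
    { "sizeof", sizeof(ETW_REALTIME_CONSUMER), 0x58, 0xA0 },   /* size table: 1607 to 2004 */
};

/* Returns 1 when every offset and the size equal the page's column for this
 * pointer width; otherwise prints each mismatch and returns 0. */
static int layout_matches_page(void)
{
    const int is64 = sizeof(void *) == 8;
    int ok = 1;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        size_t expect = is64 ? rows[i].x64 : rows[i].x86;
        if (rows[i].actual != expect) {
            printf("mismatch %s: compiler 0x%zX, page 0x%zX\n", rows[i].name, rows[i].actual, expect);
            ok = 0;
        }
    }
    return ok;
}

/* Returns 1 if the compiler allocates bit fields from bit 0 upward, so each
 * field lands on the page's mask (MSVC and gcc both do this on x86 and x64). */
static int flag_bits_match_masks(void)
{
    ETW_REALTIME_CONSUMER c = {0};
    c.Flags = 0x01; if (!c.ShutDownRequest || c.Wow) return 0;
    c.Flags = 0x08; if (!c.Notified || c.ShutDownRequest) return 0;
    c.Flags = 0x10; if (!c.Wow || c.Notified) return 0;
    return 1;
}

/* Number of the five named flags set in a raw Flags byte, e.g. one read from a dump. */
static int count_named_flags(UCHAR raw)
{
    ETW_REALTIME_CONSUMER c = {0};
    c.Flags = raw;
    return c.ShutDownRequest + c.NewBuffersLost + c.Disconnected + c.Notified + c.Wow;
}

int main(void)
{
    printf("layout %s the page; flag bits %s the masks; named flags in 0x15: %d\n",
           layout_matches_page() ? "matches" : "differs from",
           flag_bits_match_masks() ? "match" : "differ from", count_named_flags(0x15));
    return 0;
}
```

Built for a 64-bit target the natural alignment alone reproduces the x64 column, including the five bytes of padding after `Flags` and the four after `UserPagesReused`; built for a 32-bit target it reproduces the x86 column and the 0x58 size. The bit-field check matters because C leaves bit-field allocation order to the implementation: the masks in the second table are only meaningful once that order is confirmed to be low bit first.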